On Tue, Feb 26, 2002 at 12:45:26PM +0530, Raghu Babu wrote:
> Hi,
>
> Yes, we need ACI for keeping dynamic permissions at the runtime of the LDAP
> server; without restarting the server, the right should get activated.
>
> I have tried the solution with your approach but still I am not able to
> authenticate to ldap server.
>
> The following entry I added in ryagnik
> OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#group#cn=admins,ou=groups,o=waterford.org
> also I created group by name cn=Admins,ou=groups,o=waterford.org
> & added ryagnik as member to that group
> I also tried
> OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#self
> OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#access-id#uid=ryagnik,ou=people,o=waterford.org
>
> But still I was not able to authenticate ryagnik to the LDAP server. I am
> getting the error "insufficient access rights".
> I think it's related to anonymous rights for ryagnik.
Yes, you are right, I forgot about that. In order to authenticate against an
entry you need to give "auth" access to the "userPassword"-Attribute of that
Entry, to the user "anonymous". So your ACLs would look like this:

access to attr=userPassword
        by self write
        by anonymous auth
        by * none       <- You may want to add a "break" statement
                           here, if you want to give access to the
                           "userPassword"-Attribute for other users
                           through the ACI.
access to *
        by aci write
--
Ralf Haferkamp
SuSE GmbH - The Linux Experts -
Deutschherrnstrasse 15-19 http://www.suse.com
D-90429 Nuernberg, Germany Tel: +49-911-74053-0
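
The effect of the "by anonymous auth" clause and of the optional "break" can be traced with a small model of how slapd walks the access clauses. This is an added example, not part of the original message and not OpenLDAP code; it is a simplification in which ACIs are reduced to a set of granted DNs, and the admin DN and the build_acl helper are constructed for illustration.

```python
# Simplified model of slapd ACL evaluation (added example, not OpenLDAP source).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def who_matches(who, requester, target, aci_subjects):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target
    if who == "aci":  # assumption: the entry's ACIs reduced to a set of granted DNs
        return requester in aci_subjects
    return False

def granted_level(acl, attr, requester, target, aci_subjects=frozenset()):
    """Level granted on target's attr; requester None means anonymous."""
    for what, by_clauses in acl:
        if what not in ("*", attr):
            continue                      # this "access to" does not cover attr
        fell_through = False
        for who, level, control in by_clauses:
            if who_matches(who, requester, target, aci_subjects):
                if control == "break":    # go on to the next "access to" clause
                    fell_through = True
                    break
                return level              # default control is "stop"
        if not fell_through:
            return "none"                 # implicit "by * none" ends every clause
    return "none"

def can_bind(acl, target):
    """A simple bind needs anonymous to hold at least auth on userPassword."""
    level = granted_level(acl, "userPassword", None, target)
    return LEVELS.index(level) >= LEVELS.index("auth")

def build_acl(anonymous_auth, last_control):
    """The ACL from the message, with the two points under discussion variable."""
    by = [("self", "write", "stop")]
    if anonymous_auth:
        by.append(("anonymous", "auth", "stop"))
    by.append(("*", "none", last_control))
    return [("userPassword", by), ("*", [("aci", "write", "stop")])]

USER = "uid=ryagnik,ou=people,o=waterford.org"
ADMIN = "uid=admin1,ou=people,o=waterford.org"   # constructed DN
ACI = frozenset({ADMIN})                         # constructed ACI grant

if __name__ == "__main__":
    print("bind without anonymous clause:", can_bind(build_acl(False, "stop"), USER))
    print("bind with anonymous auth:     ", can_bind(build_acl(True, "stop"), USER))
```

Calling granted_level(build_acl(True, "break"), "userPassword", ADMIN, USER, ACI) shows the ACI-granted user reaching userPassword only when the "break" is present.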